FMWK-773 Dockerize backup CLI tools #297
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #297 +/- ##
==========================================
- Coverage 80.16% 80.02% -0.15%
==========================================
Files 93 93
Lines 9374 9495 +121
==========================================
+ Hits 7515 7598 +83
- Misses 1428 1459 +31
- Partials 431 438 +7 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Co-authored-by: Eugene R. <yrizhkov@aerospike.com>
…in permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…ps://github.com/aerospike/backup-go into APPS-1729-create-dockerfile-for-backup-cli-tool
| runs-on: ubuntu-24.04 | ||
| steps: | ||
| - name: Checkout Code | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| with: | ||
| fetch-depth: 1 | ||
|
|
||
| - name: Get Metadata | ||
| run: | | ||
| git fetch --tags --depth=1 | ||
| LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1`) | ||
| echo "BUNDLE_VERSION=$LATEST_TAG" >> $GITHUB_ENV | ||
| echo "BUNDLE_NAME=aerospike-backup-tools" >> $GITHUB_ENV | ||
|
|
||
| - name: Login to JFrog | ||
| uses: jfrog/setup-jfrog-cli@ff5cb544114ffc152db9cea1cd3d5978d5074946 # v4.5.11 | ||
| env: | ||
| JF_URL: ${{ vars.ARTIFACTORY_URL }} | ||
| JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }} | ||
| JF_PROJECT: ${{ vars.JFROG_CLI_BUILD_PROJECT }} | ||
|
|
||
| - name: Promote to JFrog STAGE Environment | ||
| run: | | ||
| jfrog release-bundle-promote "$BUNDLE_NAME" "$BUNDLE_VERSION" \ | ||
| --signing-key="aerospike" --project="ecosystem" STAGE | ||
|
|
||
| promote-to-dockerhub: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 11 hours ago
To fix the issue, we will add a permissions block at the root of the workflow file. This block will apply to all jobs in the workflow unless overridden at the job level. Since the workflow does not appear to require write permissions for the GITHUB_TOKEN, we will set the permissions to contents: read, which is the minimal required permission for most workflows.
| @@ -1,2 +1,4 @@ | ||
| name: Promote Images to DockerHub | ||
| permissions: | ||
| contents: read | ||
| on: |
| runs-on: ubuntu-24.04 | ||
| steps: | ||
| - name: Checkout Code | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||
| with: | ||
| fetch-depth: 1 | ||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@18ce135bb5112fa8ce4ed6c17ab05699d7f3a5e0 # v3.11.0 | ||
| - name: Login to DockerHub | ||
| uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 | ||
| with: | ||
| registry: docker.io | ||
| username: ${{ secrets.DOCKER_USER }} | ||
| password: ${{ secrets.DOCKER_PASSWORD }} | ||
| - name: Get Metadata | ||
| run: | | ||
| git fetch --tags --depth=1 | ||
| LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1`) | ||
| echo "TAG=$LATEST_TAG" >> $GITHUB_ENV | ||
| echo "REPO_NAME=aerospike-backup-tools" >> $GITHUB_ENV | ||
| - name: Promote to DockerHub | ||
| env: | ||
| TAG: ${{env.TAG}} | ||
| REPO_NAME: ${{env.REPO_NAME}} | ||
| ARTIFACTORY_CONTAINER_DEV: ${{ vars.ARTIFACTORY_CONTAINER_DEV }} | ||
| run: | | ||
| set -euo pipefail | ||
|
|
||
| url="https://aerospike.jfrog.io/artifactory/$ARTIFACTORY_CONTAINER_DEV/$REPO_NAME/$TAG/list.manifest.json" | ||
| amd64_digest="$(curl -sSL "$url" | jq -r '.manifests[] | select(.platform.architecture == "amd64") | .digest')" | ||
| arm64_digest="$(curl -sSL "$url" | jq -r '.manifests[] | select(.platform.architecture == "arm64") | .digest')" | ||
|
|
||
| if [[ -z "$amd64_digest" || -z "$arm64_digest" ]]; then | ||
| echo "Error: Could not resolve image digests." | ||
| exit 1 | ||
| fi | ||
|
|
||
| amd64_tag="davi17g/$REPO_NAME:$TAG-amd64" | ||
| arm64_tag="davi17g/$REPO_NAME:$TAG-arm64" | ||
| multiarch_tag="davi17g/$REPO_NAME:$TAG" | ||
|
|
||
| docker pull "aerospike.jfrog.io/$ARTIFACTORY_CONTAINER_DEV/$REPO_NAME@$amd64_digest" | ||
| docker pull "aerospike.jfrog.io/$ARTIFACTORY_CONTAINER_DEV/$REPO_NAME@$arm64_digest" | ||
|
|
docker tag "aerospike.jfrog.io/$ARTIFACTORY_CONTAINER_DEV/$REPO_NAME@$amd64_digest" "$amd64_tag" | |
| docker tag "aerospike.jfrog.io/$ARTIFACTORY_CONTAINER_DEV/$REPO_NAME@$arm64_digest" "$arm64_tag" | ||
|
|
||
| docker push "$amd64_tag" | ||
| docker push "$arm64_tag" | ||
|
|
||
| docker manifest create "$multiarch_tag" "$amd64_tag" "$arm64_tag" | ||
|
|
||
| docker manifest annotate "$multiarch_tag" "$amd64_tag" --arch amd64 | ||
| docker manifest annotate "$multiarch_tag" "$arm64_tag" --arch arm64 | ||
|
|
||
| docker manifest push "$multiarch_tag" |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 11 hours ago
To fix the issue, we need to add a permissions block to the workflow. This block should specify the least privileges required for the workflow to function correctly. Since the workflow does not modify repository contents, we can set contents: read at the root level of the workflow. This ensures that all jobs inherit the minimal permissions unless explicitly overridden.
The permissions block should be added at the root level of the workflow file, right after the name field.
| @@ -1,2 +1,4 @@ | ||
| name: Promote Images to DockerHub | ||
| permissions: | ||
| contents: read | ||
| on: |
No description provided.